20 votes

How secure and private is Firefox?

I was browsing r/privacy today and I came across this guy going on about how Mozilla was just pretending to be privacy focused. Here's his comment. Now I don't really know what to think of this, and frankly, I'm getting really exhausted from hearing about how all the things I'm using aren't actually trustworthy. So can someone put my mind to rest? Do this guy's claims have any truth to them? Thanks.

6 comments

  1. [4]
    666
    (edited )
    I don't have much time to argue against the high levels of stupidity in those neocities pages, so sorry for the incomplete reply.

    Against this one: https://spyware.neocities.org/articles/firefox.html

    • Phoning home: detectportal.firefox.com is Firefox's way to detect whether you are behind a captive portal. There's nothing shady going on there; you can disable that service in about:config by setting the preference network.captive-portal-service.enabled to false. This is not actually "phoning home" in the sense of uploading your personal data to Mozilla's servers; it is only used to detect captive portals (for example, when you connect at an airport, on an airplane or in a free Wi-Fi zone and you first have to enter a username/password to be able to browse the web).
    • Automatic connections to some websites you've visited, including their trackers: this is done by the website, not by Firefox and recent Firefox versions come with built-in content blocking that can help you stop websites from doing so (go to about:preferences#privacy in Firefox). The issue the author has when opening a new tab is most likely when Firefox updates its new tab tiles (the tiny website screenshots/logos you see on the new tab page), that can be disabled by setting homepage, new window and new tab pages to blank in about:preferences#home and unchecking all boxes except web search under the Firefox Home Content title (uncheck top sites, recommended by pocket, highlights and snippets).
    • Safe Browsing: the author is right about this one and explained how it can be disabled, but disabling it is like disabling your anti-virus because it uses cloud protection. Here you have to choose between security and privacy, unfortunately. See @whisper's reply; I was wrong here and Firefox's implementation is privacy friendly.
    • Health report and telemetry: you can see what data is being sent in the about:crashes and about:telemetry pages, if you don't want to help Mozilla fix potential bugs in your system and configuration you can disable those things in the GUI as the author explains
    • Anti-privacy search engines by default: pure paranoia, most people actually want Google as default and for those who don't Firefox offers DuckDuckGo preinstalled
    • Pocket: if you don't use it then nothing is sent to Mozilla, it's as simple as that
    • Automatic updates: more paranoia, do you want to be vulnerable to the latest exploits because you forgot to manually check for updates? Also you can configure how it works (disabled, check but let you decide, fully automatic)
    • The rest: for snippets "phoning home" see above (snippets are the little text messages that appear at the bottom of the new tab page), the rest of the things can be disabled through the GUI or about:config.

    If you are still paranoid you can use ghacks user.js and disable pretty much everything.

    Is it actually spyware? Not really. Firefox asks you whether you want to enable telemetry and other kinds of data collection when you install it; they are very transparent about it and don't do it in the background without letting you know. This is not the definition of spyware. I'm sorry I don't have time for the rest of the articles. I recommend you do your own research before trusting a random neocities or reddit comment you found.

    45 votes
    1. [2]
      whisper
      (edited )
      Firefox's implementation of safe browsing — called Phishing Protection — is actually privacy-friendly. Your browsing habits are not sent to Mozilla.

      Instead, the browser regularly downloads a file containing a list of malicious websites (let's call this the Bad List). When you visit a website, the browser automatically searches the local Bad List to see if the website is in it. If the website is not in the local Bad List, then the browser will connect you to the website. That's it — nothing is sent to Mozilla.

      However, if the website is in the local Bad List, then the browser will send a hash of the URL to Mozilla's servers. They even add some random information called 'noise' to the hash to make it difficult (if not impossible) to turn it back into the URL. They send the hash to their servers to confirm that the URL is still in the online Bad List (which may be more up-to-date than your local Bad List). If it is not in the online Bad List, then you get connected to the site. If it is in the online Bad List, then you'll get a shiny warning page.

      More info can be found here.


      Mozilla is not perfect by any means, and they do stupid things. But, I still trust them more than any other mainstream browser developer out there. They have repeatedly shown that they are on the user's side.

      Edit 1: added corroborating source, updated nomenclature, expanded hash info

      24 votes
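The lookup flow whisper describes, as an added example that is not part of the thread and is not Firefox's code: a simplified Python model in which the local list holds 4-byte SHA-256 prefixes and the "noise" is extra random prefixes sent alongside the real one. The URLs, list contents, function names and noise count are constructed assumptions, and URL canonicalization is skipped.

```python
import hashlib
import random
import secrets

PREFIX_LEN = 4  # bytes of SHA-256 kept in the local list (model assumption)

def full_hash(url_expr: str) -> bytes:
    """SHA-256 of a URL expression (no canonicalization in this model)."""
    return hashlib.sha256(url_expr.encode("utf-8")).digest()

# Constructed sample data: the server's current "online Bad List" of full hashes.
ONLINE_BAD = {full_hash(u) for u in ("phish.example/login", "malware.example/")}

# The downloaded "local Bad List": prefixes only, plus one stale entry that
# the server has since removed (cleaned-up.example/).
LOCAL_PREFIXES = {h[:PREFIX_LEN] for h in ONLINE_BAD}
LOCAL_PREFIXES.add(full_hash("cleaned-up.example/")[:PREFIX_LEN])

def server_find_full_hashes(prefixes):
    """Server side: return every listed full hash starting with a requested prefix."""
    wanted = set(prefixes)
    return {h for h in ONLINE_BAD if h[:PREFIX_LEN] in wanted}

def check_url(url_expr, noise_count=4):
    """Client side. Returns (verdict, request); request is None when nothing is sent."""
    h = full_hash(url_expr)
    prefix = h[:PREFIX_LEN]
    if prefix not in LOCAL_PREFIXES:
        return "allow", None              # common case: no network traffic at all
    # Local hit: send the real prefix hidden among random decoy prefixes.
    request = [prefix] + [secrets.token_bytes(PREFIX_LEN) for _ in range(noise_count)]
    random.SystemRandom().shuffle(request)
    # The full hash never leaves the client; the comparison happens locally.
    verdict = "block" if h in server_find_full_hashes(request) else "allow"
    return verdict, request

if __name__ == "__main__":
    for url in ("news.example/", "phish.example/login", "cleaned-up.example/"):
        verdict, request = check_url(url)
        sent = "nothing" if request is None else [p.hex() for p in request]
        print(f"{url:24} {verdict:6} sent: {sent}")
```

The stale entry shows why the server round trip exists: the local list can lag behind the online one, so a local hit is only a candidate until confirmed.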
      1. 666
        Thanks, I should have spent a little more time doing my research. I'll amend my reply.

        6 votes
    2. PopeRigby
      Thank you. That helps. I read through it, but it was a bit confusing, so I asked Tildes.

      9 votes
  2. [2]
    zaarn
    I personally stopped frequenting /r/privacy for posts like that. It's filled with people who will tinfoil the entire computer and make up or inflate the danger of certain issues. Every single time when people ask how to get privacy, I get downvoted for asking what their threat model is. Or recently when they complained that the Epic Games launcher reads your root store for certificate authorities and your internet proxy settings. Or scans the running processes. That's perfectly normal behaviour for a game launcher of the Steam type.

    Take everything you read on /r/privacy with a few tons of grains of salt. I would recommend /r/privacytoolsio over it or, in general, read the blogs of security people (Krebs, Schneier, Troy, etc.). They'll alert you when things are actually bad; /r/privacy will just make you feel unsafe.

    19 votes